The spy agency that dared not speak its name is now the Joe Rogan of the SIGINT set. And the pod's actually worth a listen.

My first story for WIRED—yep, 31 years ago—looked at a group of “crypto rebels” who were trying to pry strong encryption technology from the government-classified world and send it into the mainstream. Naturally I attempted to speak to someone at the National Security Agency for comment and ideally get a window into its thinking. Unsurprisingly, that was a no-go, because the NSA was famous for its reticence. Eventually we agreed that I could fax (!) a list of questions. In return I got an unsigned response in unhelpful bureaucratese that didn’t address my queries. Even that represented a loosening of what once was total blackout on anything having to do with this ultra-secretive intelligence agency. For decades after its post–World War II founding, the government revealed nothing, not even the name, of this agency and its activities. Those in the know referred to it as “No Such Agency.”

In recent years, the widespread adoption of encryption technology and the vital need for cybersecurity has led to more openness. Its directors began to speak in public; in 2012, NSA director Keith Alexander actually keynoted Defcon. I’d spent the entire 1990s lobbying to visit the agency for my book _Crypto_; in 2013, I finally crossed the threshold of its iconic Fort Meade Headquarters for an on-the-record conversation with officials, including Alexander. NSA now has social media accounts on Twitter, Instagram, Facebook. And there is a form on the agency website for podcasters to request guest appearances by an actual NSA-ite.

So it shouldn’t be a total shock that NSA is now _doing its own podcast._ You don’t need to be an intelligence agency to know that pods are a unique way to tell stories and hold people’s attention. The first two episodes of the seven-part season dropped this week. It’s called _No Such Podcast_, earning some self-irony points from the get-go.

In keeping with the openness vibe, the NSA granted me an interview with an official in charge of the project—one of the de facto podcast producers, a title that apparently is still not an official NSA job posting. Since NSA still gotta NSA, I can’t use this person’s name. But my source did point out that in the podcast itself, both the hosts and the guests—who are past and present agency officials—speak under their actual identities. We conducted the interview via Microsoft Teams; my spokesperson and one of the hosts were in a room with an impressive background of the official seals of the NSA, the Central Security Service, and the United States Cyber Command. I did my end from a World Trade Center conference room, praying my Wi-Fi wouldn’t cut out.

Why an NSA podcast? The spokesperson explains that the NSA has the world’s best cryptologists and cryptanalysts, all of whom work in silence, and the agency wanted to talk about their critical and amazing work. “The podcast,” the spokesperson says, “is a medium that allows for good storytelling and conversation that is distinct from things we already engage in. It provides a different level of connection.” I later received a statement from Sara Siegle, the NSA’s head of strategic communications, echoing that point: “NSA believes in showcasing the incredible, dedicated work of our diverse, expert workforce. _No Such Podcast_ extends our existing efforts into a new and growing medium.” Got it.

I suggest some secondary motivations. Some of the NSA’s social media posts solicit workers, and this podcast seems likewise designed to appeal to STEM graduates who might place patriotism over working for Google or a startup. My source acknowledged that this was the case. “Recruitment is not the number one goal of the podcast, but we are certainly hoping that by showcasing the work we do here, and the real people on the show who work here, listeners might say, ‘Oh, that sounds like a really cool job—and that person seems pretty normal, right?’”

The NSA also apparently sees the podcast as a chance to answer some critics who charge that the agency is a Big Brother-ish snooping operation that threatens our privacy. In the very first episode, guest speaker Natalie Laing, the NSA’s director of operations, speaks at length about how the NSA limits itself to information relevant to national security and similar imperatives. “Compliance is our number one focus,” she says. By hitting this note so hard that my Apple Watch sent me a volume alert, the NSA seems to be using the podcast format to address suspicions that it violates privacy—especially after the shocking revelations from Edward Snowden about how much stuff the NSA does grab. (I am told Snowden’s name is not uttered in the entire NSA podcast series—no such person?)

The NSA used fairly traditional marketing skills to figure out the format of its podcast. It checked out not only popular pods, but those of its sister intelligence agencies. Yes, the CIA and FBI are already in the game. The NSA finally settled on a classical interview format where a revolving set of four hosts—not outside professionals, but the winners of an internal talent search for employees with broadcast skills—talk with officials about the agency’s operations and exploits. “We definitely wanted that conversational tone that provides space for our guests to share their expertise and stories in a way that doesn’t really feel like lectures,” says my spokesperson. The podcasts were recorded in the NSA’s own in-house video studio. That is a sentence that you will never find in a John LeCarré novel.

As you would expect, there is a lot of vetting to make sure that none of the stories shared on the pod are classified, or would compromise future operations. No, we will not find out whether there is a quantum computer in the basement of the NSA’s Fort Meade, Maryland, headquarters. While the numbers of reviewers varied by episode, I was assured it was more than a dozen and less than a hundred.

I’ve read the transcripts for the first two episodes. The series opens with a bang, with episode 1 recounting the NSA’s role in finding Osama Bin Laden. As background to the narrative, Laing and the other guest, former director of operations Jon Darby, provide a rather detailed precis of the workings of signals intelligence, or SIGINT in spook-speak, which is the core activity of the agency. They give a once-unthinkably straightforward rundown of what the NSA calls its “production cycle”—the way it grabs signals, analyzes them, and distributes them to US officials, the military, our allies, and even some people in the private sector. The information is familiar to those who have been studying intelligence agencies, or at least reading spy novels, but for many years the NSA would confirm none of this.

The description of how SIGINT helped find Bin Laden was gripping, but I missed a journalistic toughness in the questioning. Paging Barton Gellman or our own Andy Greenberg! At one point Jon Darby said, “… the fall of 2001—that’s when we really started really looking for Bin Laden.” Since the NSA was well aware al-Qaeda had already run terror operations against the US, why not earlier? And maybe an explanation of why we were blindsided by 9/11? Another question: While it’s an inspiring triumph that we located Bin Laden, it did take over 10 years. Given how much we pay for the NSA, is that acceptable?

The second episode is about cybersecurity. It struck me as relatively vague, with a lot of talk about the importance of protecting information for the military and even the space program but fewer concrete examples. The guests talk about stopping ransomware attacks but don’t say how. I would have liked to have heard more about how the NSA works with private industry to protect our infrastructure. Or doesn’t. A few spectacular breaches in recent years exposed critical government information, including several whopping hacks of Microsoft by the Russians and the Chinese. Those didn’t make it in that episode.

Still, _No Such Podcast_ can be revealing. The Bin Laden episode had a brief but intriguing digression about encryption. (Future episodes, I am told, will dive deeper into the subject, including one about the history of cryptography.) During the 1990s the NSA had been an active opponent of strong public encryption. But at the end of the decade, the Clinton Administration seemingly ended the Crypto Wars by allowing the private sector to employ the techniques. Nowadays we’ve got the FBI and other law enforcement officials caterwauling about the danger of end-to-end encryption in software made by Apple, Meta, and others. But in this podcast, the NSA’s head of operations is not crying doomsday. To the contrary, Laing brags about how the great codebreakers at the NSA, despite the revolution in private sector cryptography, are still able to get the job done. “Our ability to impact in a positive way our nation's national security, to defend our nation, that has not changed … Every day I am a little gobsmacked at the talent that we have at this agency and the things they are able to do. That absolutely has not changed. And what else hasn't changed is, we can't tell people about it generally.” While the FBI is screaming that we’re doomed if we don’t rein in end-to-end crypto, here is the NSA saying, “We got this.”

For that reason I’ll give a thumbs-up to _No Such Podcast_. Yes, it’s kind of propagandistic—how could it be otherwise?—but despite the podcast’s selective spin on its activities, there’s more signal here than noise. As a bonus, there are no ads for energy drinks, gold bullion, or newly minted cryptocurrency tokens. Also, I’m curious to hear the NSA’s take on artificial intelligence, the subject of an upcoming episode.

Before I end my discussion with the NSA, I ask a question that is top of mind for every podcaster: Will _No Such Podcast_ be picked up for season 2? “We can neither confirm or deny,” says the unnamed person I spoke to. Now _that’s_ the NSA I know.

**Time Travel**

During the six years I spent writing _Crypto_, I begged and begged to visit the NSA, to no avail. After many months of negotiation, I finally got an official interview with a key source. It was conducted at the National Cryptologic Museum, just outside the agency’s gates. Maybe that was an early sign of the thaw that has led to this podcast. But as I documented in my book, in the NSA’s first decades, silence—and an electrified, triple-layered barbed-wire fence—enveloped all that the agency touched or dealt with.

_Since all the salient information about modern crypto was withheld from public view, outsiders could only guess what happened in “The Fort.” The NSA undoubtedly operated the most sophisticated snooping operation in the world. It was universally assumed (though never admitted) that no foreign phone call, radio broadcast, or telegraph transmission was safe from the agency’s global vacuum cleaner. Signals were sucked up and the contents analyzed with a multi-MIPS computer, combing the text for anything of value. …_

_What’s more, the NSA considered itself the sole repository of cryptographic information—not just that used by the civilian government and all the armed forces, as the law dictated, but that used by the private sector as well. Ultimately, the triple-depth fence surrounding its headquarters was not only a physical barrier but a metaphor for the NSA’s near-fanatical drive to hide information about itself and its activities. In the United States of America, serious crypto existed only behind the Triple Fence._

**Ask Me One Thing**

Chris asks, “All things considered, has the internet been a good or bad thing? Or, what percentage good or bad?”

Thanks for the question, Chris. You do realize that the internet is the big, all-encompassing blob where we all now live, right? You might as well ask whether civilization is a good thing. I can think of lots of reasons to answer in the negative, but none that would send me into a cave.

Look, a lot of us went overboard 30 years ago when we realized that the internet was going to be pervasive and revolutionary, and it seemed like an opportunity to do a constructive reset on a lot of things that stood in the way of access and equality and the generally calcified way that media operated. Some of those lofty visions came true, and some unexpected hellscapes arose. Overall, the mistake that the optimists made was somehow forgetting that it would be _people_ who would make the internet what it was, and what it would become. No matter how technology might nudge us into comity, a lot of humanity won’t go there no matter what. And the massive scale of the internet, as well as the riches to be gained, can lure even the most idealistic founders into breaking bad.

I still believe that the internet provides a pathway for the best of humanity to shine. But a lot of people are simply awful, and way too many of them are in your face all the time now. So my answer is 58-42—on the side of the good. No cave for me.

_You can submit questions to_ _mail@wired.com. Write **ASK LEVY** in the subject line._

**End Times Chronicle**

1943: Publication of Herman Hesse’s futuristic, trippy final novel, _The Glass Bead Game_. Last week: Analysis of material from a Chinese space probe reveals glass beads on the moon. Just sayin’.

**Last but Not Least**

Russia’s most feared military intelligence agency now has a cyber warfare team. A meaty subject for _No Such Podcast_!

It wasn’t the NSA but the State Department that discovered the Chinese hacker of Microsoft—and that’s just one thing Secretary of State Anthony Blinken talks about in our Big Interview.

Blinken also goes on camera as the Big Interview now has video!

WIRED hunted hidden police signals at the Democratic Convention–our own SIGINT op!

_Updated 09-06-24, 12:20 pm ET: The story was updated to correct the description of the seals in an NSA meeting room._

_Don't miss future subscriber-only editions of this column._ _**Subscribe to WIRED (50% off for Plaintext readers)**_ _today._

The NSA Has a Podcast—Here's How to Decode It

Video and audio of therapy sessions, transcripts, and other patient records were accidentally exposed in a publicly accessible database operated by the virtual medical company Confidant Health.

Thousands of people’s highly sensitive health details, including audio and video of therapy sessions, were openly accessible on the internet, new research has revealed. The cache of information, associated with a US health care firm, included more than 120,000 files and more than 1.7 million activity logs.

At the end of August, security researcher Jeremiah Fowler discovered the exposed trove of information in an unsecured database linked to virtual medical provider Confidant Health. The company, which operates across five states including Connecticut, Florida, and Texas, helps provide alcohol- and drug-addiction recovery, alongside mental health treatments and other services.

Within the 5.3 terabytes of exposed data were extremely personal details about patients that go beyond personal therapy sessions. Files seen by Fowler included multiple-page reports of people’s psychiatry intake notes and details of the medical histories. “At the bottom of some of the documents it said ‘confidential health data,’” Fowler says.

For instance, one seven-page psychiatry intake file, which appeared to be based on an hour session with a patient, details issues with alcohol and other substances, including how the patient claimed to have taken “small amounts” of narcotics from their grandparent’s hospice supply before the family member passed away. In another document, a mother describes the “contentious” relationship between her husband and son, including that while her son was using stimulants he accused her partner of sexual abuse.

The exposed health documents include some medical notes on people’s appearance, mood, memory, their medications, and overall mental status. One spreadsheet seen by the researcher appears to list Confidant Health members, the number of appointments they’ve had, the types of appointment, and more.

“There’s some heartbreaking, really painful family trauma, personal trauma,” Fowler says, adding that some of the files were audio and videos of patient sessions. “It’s almost like having your deepest darkest secrets that you've told your diary revealed, and it's things that you never want to get out.”

Alongside the medical files in the exposed database were administration and verification documents, including copies of driver’s licenses, ID cards, and insurance cards, Fowler says. The logs also contained indications that some data is collected by chatbots or artificial intelligence, making references to prompts and AI responses to questions.

Confidant Health quickly shut off access to the exposed database after Fowler contacted the company, he says. The researcher, who alerts companies to exposed data and does not download any of it, says a proportion of the 120,000 files that were exposed had some form of password protection in place. Fowler says he reviewed around 1,000 files to verify the exposure and determine the source of the data so he could alert the company. He says it is unusual that an exposed database would include both locked and unlocked files.

In a statement to WIRED, Confidant Health cofounder Jon Read says the company takes security concerns seriously and “take\[s\] issue with the sensational nature” of the findings. Read says once the company had been notified of the “improper configuration,” access to the exposed files was “fixed in less than an hour.”

Therapy Sessions Exposed by Mental Health Care Firm’s Unsecured Database

Security researchers have discovered a cryptographic flaw that leaves the YubiKey 5 vulnerable to attack.

The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-sized device vulnerable to cloning when an attacker gains temporary physical access to it, researchers said Tuesday.

The cryptographic flaw, known as a side channel, resides in a small microcontroller used in a large number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, such as the SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.

**Patching Not Possible**

YubiKey maker Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.

“An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys,” the advisory confirmed. “The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM; knowledge of the accounts they want to target; and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge, including username, PIN, account password, or authentication key.”

Side channels are the result of clues left in physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task that leaks cryptographic secrets. In this case, the side channel is the amount of time taken during a mathematical calculation known as a modular inversion. The Infineon cryptolibrary failed to implement a common side-channel defense known as constant time as it performs modular inversion operations involving the Elliptic Curve Digital Signature Algorithm. Constant time ensures the time-sensitive cryptographic operations execute is uniform rather than variable depending on the specific keys.

More precisely, the side channel is located in the Infineon implementation of the Extended Euclidean Algorithm, a method for, among other things, computing the modular inverse. By using an oscilloscope to measure the electromagnetic radiation while the token is authenticating itself, the researchers can detect tiny execution time differences that reveal a token’s ephemeral ECDSA key, also known as a nonce. Further analysis allows the researchers to extract the secret ECDSA key that underpins the entire security of the token.

In Tuesday’s report, NinjaLab cofounder Thomas Roche wrote:

> In the present work, NinjaLab unveils a new side-channel vulnerability in the ECDSA implementation of Infineon 9 on any security microcontroller family of the manufacturer. This vulnerability lies in the ECDSA ephemeral key (or nonce) modular inversion, and, more precisely, in the Infineon implementation of the Extended Euclidean Algorithm (EEA for short). To our knowledge, this is the first time an implementation of the EEA is shown to be vulnerable to side-channel analysis (contrarily to the EEA binary version). The exploitation of this vulnerability is demonstrated through realistic experiments and we show that an adversary only needs to have access to the device for a few minutes. The offline phase took us about 24 hours; with more engineering work in the attack development, it would take less than one hour.
> 
> After a long phase of understanding Infineon implementation through side-channel analysis on a Feitian 10 open JavaCard smartcard, the attack is tested on a YubiKey 5Ci, a FIDO hardware token from Yubico. All YubiKey 5 Series (before the firmware update 5.7 11 of May 6th, 2024) are affected by the attack. In fact all products relying on the ECDSA of Infineon cryptographic library running on an Infineon security microcontroller are affected by the attack. We estimate that the vulnerability exists for more than 14 years in Infineon top secure chips. These chips and the vulnerable part of the cryptographic library went through about 80 CC certification evaluations of level AVA VAN 4 (for TPMs) or AVA VAN 5 (for the others) from 2010 to 2024 (and a bit less than 30 certificate maintenances).

In an online interview, Roche elaborated:

> Infineon produces “security microcontrollers” or “secure elements.” You can find many of them out there. Some of them (and this is the case for YubiKey 5 Series) run the Infineon cryptographic library (that Infineon develops for their customers that do not want to develop their own).
> 
> This cryptolibrary is highly confidential (even its API is secret, you need to sign an NDA with Infineon just to know the API). Nobody, but Infineon, knows the cryptolibrary details and notably its countermeasures choices.
> 
> This cryptolibrary, as many others, implement the ECDSA (core crypto function of FIDO, but also used in many different applications/protocols). Inside the ECDSA scheme, there are several sub-functions calls, one of them is the modular inversion of the ECDSA ephemeral key. This is a very sensitive operation: any information leaking about the ECDSA ephemeral key would eventually reveal the ECDSA secret key.
> 
> In the Infineon cryptolibrary the modular inversion is not constant time: different ephemeral key will lead to different inversion execution time. When acquiring the electromagnetic radiation of a chip running this function one can extract tiny differences of execution times throughout the inversion computation. These small timing leakages allow us to extract the ephemeral key and then the secret key.

The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation-states or other entities with comparable resources, and then only in highly targeted scenarios. The likelihood of such an attack being used widely in the wild is extremely low. Roche said that two-factor-authentication and one-time password functionalities aren't affected: because they don't use the vulnerable part of the library.

Tuesday's report from NinjaLab outlines the full flow of the cloning attack as:

1.  The adversary steals the login and password of a victim’s application account protected with FIDO (e.g., via a phishing attack).
2.  The adversary gets physical access to the victim’s device during a limited time frame without the victim noticing.
3.  Thanks to the stolen victim’s login and password (for a given application account), the adversary sends the authentication request to the device as many times as is necessary while performing side-channel measurements.
4.  The adversary quietly gives back the FIDO device to the victim.
5.  The adversary performs a side-channel attack over the measurements and succeeds in extracting the ECDSA private key linked to the victim’s application account.
6.  The adversary can sign in to the victim’s application account without the FIDO device and without the victim noticing. In other words, the adversary created a clone of the FIDO device for the victim’s application account. This clone will give access to the application account as long as the legitimate user does not revoke its authentication credentials.

The list, however, omits a key step, which is tearing down the YubiKey and exposing the logic board housed inside. This likely would be done by using a hot air gun and a scalpel to remove the plastic key casing and expose the part of the logic board that acts as a secure element storing the cryptographic secrets. From there, the attacker would connect the chip to hardware and software that take measurements as the key is being used to authenticate an existing account. Once the measurement-taking is finished, the attacker would seal the chip in a new casing and return it to the victim.

Left: a YubiKey 5Ci intact; Right: the logic board found inside.

Courtesy of NinjaLab

Two images showing how the electromagnetic radiation is measured using a probe.

Courtesy of NinjaLab

The attack and underlying vulnerability that makes it possible are almost entirely the same as that allowed NinjaLab to clone Google Titan keys in 2021. That attack required physical access to the token for about 10 hours.

The attacks violate a fundamental guarantee of FIDO-compliant keys, which is that the secret cryptographic material they store can’t be read or copied by any other device. This assurance is crucial because FIDO keys are used in various security-critical environments, such as those in the military and corporate networks.

That said, FIDO-compliant authentication is among the most robust forms of authentication, one that’s not susceptible to credential phishing or adversary-in-the-middle attacks. As long as the key stays out of the hands of a highly skilled and well-equipped attacker, it remains among the strongest forms of authentication. It’s also worth noting that cloning the token is only one of two major steps required to gain unauthorized access to an account or device. An attacker also must obtain the user password used for the first factor of authentication. These requirements mean that physical keys remain among the most secure authentication methods.

To uncover the side channel, the researchers reverse engineered the Infineon cryptographic library, a heavily fortified collection of code that the manufacturer takes great pains to keep confidential. The detailed description of the library is likely to be of intense interest to cryptography researchers analyzing how it works in other security devices.

People who want to know what firmware version their YubiKey runs can use the Yubico Authenticator app. The upper-left corner of the home screen displays the series and model of the key. In the example below, from Tuesday’s advisory, the YubiKey is a YubiKey 5C NFC version 5.7.0.

YubiKeys provide optional user authentication protections, including the requirement for a user-supplied PIN code or a fingerprint or face scan. For the cloning attack to work against YubiKeys using these additional measures, an attacker would need to possess the user verification factor as well. More information about using these additional measures to lock down YubiKeys further is available here.

A key question that remains unanswered at the moment is what other security devices rely on the three vulnerable Infineon secure modules and use the Infineon cryptolibrary? Infineon has yet to issue an advisory and didn't respond to an email asking for one. At the moment, there is no known CVE for tracking the vulnerability.

_This story originally appeared on_ _Ars Technica._

YubiKeys Are a Security Gold Standard—but They Can Be Cloned

Unit 29155 of Russia’s GRU military intelligence agency—a team responsible for coup attempts, assassinations, and bombings—has branched out into brazen hacking operations with targets across the world.

Russia's military intelligence agency, the GRU, has long had a reputation as one of the world's most aggressive practitioners of sabotage, assassination, and cyber warfare, with hackers who take pride in working under the same banner as violent special forces operators. But one new group within that agency shows how the GRU may be intertwining physical and digital tactics more tightly than ever before: a hacking team, which has emerged from the same unit responsible for Russia's most notorious physical tactics, including poisonings, attempted coups, and bombings inside Western countries.

A broad group of Western government agencies from countries including the US, the UK, Ukraine, Australia, Canada, and five European countries on Thursday revealed that a hacker group known as Cadet Blizzard, Bleeding Bear, or Greyscale—one that has launched multiple hacking operations targeting Ukraine, the US, and other countries in Europe, Asia, and Latin America—is in fact part of the GRU's Unit 29155, the division of the spy agency known for its brazen acts of physical sabotage and politically motivated murder. That unit has been tied in the past, for instance, to the attempted poisoning of GRU defector Sergei Skripal with the Novichok nerve agent in the UK, which led to the death of a bystander, as well as another assassination plot in Bulgaria, the explosion of an arms depot in the Czech Republic, and a failed coup attempt in Montenegro.

Now that infamous section of the GRU appears to have developed its own active team of cyber warfare operators—distinct from those within other GRU units such as Unit 26165, broadly known as Fancy Bear or APT28, and Unit 74455, the cyberattack-focused team known as Sandworm. Since 2022, GRU Unit 29155's more recently recruited hackers have taken the lead on cyber operations, including with the data-destroying wiper malware known as Whispergate, which hit at least two dozen Ukrainian organizations on the eve of Russia's February 2022 invasion, as well as the defacement of Ukrainian government websites and the theft and leak of information from them under a fake “hacktivist” persona known as Free Civilian.

Cadet Blizzard's identification as a part of GRU Unit 29155 shows how the agency is further blurring the line between physical and cyber tactics in its approach to hybrid warfare, according to one of multiple Western intelligence agency officials whom WIRED interviewed on condition of anonymity because they weren't authorized to speak using their names. “Special forces don’t normally set up a cyber unit that mirrors their physical activities,” one official says. “This is a heavily physical operating unit, tasked with the more gruesome acts that the GRU is involved in. I find it very surprising that this unit that does very hands-on stuff is now doing cyber things from behind a keyboard.”

In addition to the joint public statement revealing Cadet Blizzard's link to the GRU's unit 29155, the US Cybersecurity and Infrastructure Security Agency published an advisory detailing the group's hacking methods and ways to spot and mitigate them. The US Department of Justice indicted five members of the group by name, all in absentia, in addition to a sixth who had been previously charged earlier in the summer without any public mention of Unit 29155.

“The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” the US Justice Department's assistant attorney general Matthew G. Olsen wrote in a statement. “Today’s indictment underscores that the Justice Department will use every available tool to disrupt this kind of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive targeting of the United States and our allies.”

The US State Department also posted a $10 million reward for information leading to the identification or location of members of the group, along with their photos, to its Rewards for Justice website.

A State Department poster offering $10 million for information leading to the identification or location of the five GRU unit 29155 hackers.Courtesy of the US State Department

Beyonds its previously known operations against Ukraine, Western intelligence agency officials tell WIRED that the group has also targeted a wide variety of organizations in North America, Eastern and Central Europe, Central Asia, and Latin America, such as transportation and health care sectors, government agencies, and “critical infrastructure” including “energy” infrastructure, though the officials declined to offer more specific information. The officials told WIRED that in some cases, the 29155 hackers appeared to be preparing for more disruptive cyberattacks akin to Whispergate, but didn't have confirmation that any such attacks had actually taken place.

The US Department of State in June separately revealed that the same GRU hackers who carried out Whispergate also sought to find hackable vulnerabilities in US critical infrastructure targets, “particularly the energy, government, and aerospace sectors.” The DOJ's newly unsealed indictment against the 29155 hackers alleges they probed the network of a US government agency in Maryland 63 times—though without revealing whether any such probes were success—as well as searching for vulnerabilities in the networks of targets in no fewer than 26 NATO countries.

In many cases, the 29155 hackers' intention appeared to be military espionage, according to Western intelligence agency officials. In a Central European country, for instance, they say the group breached a railway agency to spy on train shipments of supplies to Ukraine. In Ukraine itself, they say, the hackers compromised consumer surveillance cameras, perhaps to gain visibility on movement of Ukrainian troops or weapons. Ukrainian officials have previously warned that Russia has used that tactic to target missile strikes, though the intelligence officials who spoke to WIRED didn't have evidence that 29155's operations specifically had been used for that missile targeting.

The Western intelligence agency sources say that GRU Unit 29155's hacking team was formed as early as 2020, though until recent years it primarily focused on espionage rather than more disruptive cyberattacks. The creation of yet another hacking group within the GRU might seem superfluous, given that the GRU's preexisting teams units such as Sandworm and Fancy Bear have long been some of the world's most active and aggressive players in cyber warfare and espionage. But Western intelligence agency officials say that Unit 29155 was likely driven to seek its own specialized hacking team due to internal competition within the GRU, as well as the group's growing clout following the perceived success of its operations—even the botched Skripal assassination attempt. “The Skripal poisoning gave them a lot of attention and a lot of mandate,” one official says. “We assess it’s very likely that’s resulted in them getting a lot of more funds and the resources to attract the capability to start a cyber unit. Success is measured differently in the Western world and Russia.”

According to the Western intelligence officials who spoke to WIRED, the 29155 hacking group is composed of just 10 or so individuals, all of whom are relatively young GRU officers. Several individuals participated in hacking “Capture the Flag” competitions—competitive hacking simulations that are common at hacker conferences—prior to joining the GRU, and may have been recruited from those events. But the small team has also partnered with Russian cybercriminal hackers in some cases, the officials say, expanding their resources and in some instances using commodity cybercriminal malware that has made its operations more difficult to attribute to the Russian state.

One example of those criminal partnerships appears to be with Amin Timovich Stigal, a Russian hacker indicted by the US in absentia in June for allegedly aiding in Cadet Blizzard's Whispergate attacks on the Ukrainian government. The US State Department has also issued a $10 million reward for information leading to Stigal's arrest.

In addition to reliance on criminal hackers, other signs of Cadet Blizzard's level of technical skill appear to fit with intelligence officials' description of a small and relatively young team, according to one security researcher who has closely tracked the group but asked not to be named because they weren't authorized by their employer to speak about their findings. To gain initial access to target networks, the hackers largely exploited a handful of known software vulnerabilities and didn't use any so-called zero-day vulnerabilities—previously unknown hackable flaws—according to the researcher. “There’s probably not a lot of hands-on experience there. They’re following a very common operating procedure,” says the researcher. “They just figured out the exploit du jour that would give them the most mileage in their chosen domains, and they stuck with it.” In another instance of the group's lack of polish, a map of Ukraine that had been included in their defacement images and posted to hacked Ukrainian websites included the Crimean peninsula, which Russia has claimed as its own territory since 2014.

Sophistication aside, the researcher also notes that the 29155 hackers in some cases compromised their targets by breaching IT providers that serve Ukrainian and other Eastern European firms, giving them access to victims' systems and data. “Instead of kicking the front door down, they’re trying to blend in with legitimate trusted channels, trusted pathways into a network,” the researcher says.

The security researcher also notes that unlike hackers in other GRU units, Cadet Blizzard appears to have been housed in its own building, separate from the rest of the GRU, perhaps to make the team harder to link to the Unit 29155 of which they're a part. Combined with the group's command structure and criminal partnerships, it all suggests a new model for the GRU's approach to cyber warfare.

“Everything about this operation was different,” the researcher says. “It’s really going to pave the way for the future of what we see from the Russian Federation.”

_Update 9/6/2024 3:05pm ET: This story has been updated to reflect that the attempted poisoning Sergei Skripal led to the death of one bystander rather than two._

Russia’s Most Notorious Special Forces Unit Now Has Its Own Cyber Warfare Team

With 20,000 internet providers across the country, the technical challenges of blocking X in Brazil mean some connections are slipping through the cracks.

The social network X has been largely inaccessible in Brazil since Saturday, after the country's Supreme Court ordered all mobile and internet service providers to block the platform. The court order followed a months-long dispute between Judge Alexandre de Moraes and X CEO Elon Musk over the company's misinformation, hate speech, and moderation policies.

With Brazil's population of 215 million people, its mature democracy, its sprawling land mass, and more than 20,000 internet service providers, blocking a web platform in the South American nation isn't straightforward. And while the biggest ISPs have implemented the ban, many are still scrambling to comply with the order, leaving a patchwork of access to the site.

“Brazil has made headway blocking X on the main internet providers, but our telemetry indicates there’s a long tail of local and regional ISPs where the service is still available,” says Isik Mater, director of research at the internet censorship analysis group NetBlocks.

The Open Observatory of Network Interference reported that a similar progression played out when Brazil’s Federal Police obtained a court order in April 2023 for ISPs to block the communication platform Telegram because it would not fully share information about users involved in neo-Nazi group chats. Some large ISPs began blocking Telegram immediately. “However, the block was not implemented by all ISPs in Brazil, nor was it implemented in the same way,” the group wrote. “This suggests lack of coordination between providers, and that each ISP implemented the block autonomously.”

A similar progression has been playing out with the X ban. Brazil's 20,000 ISPs produce a notably competitive market, but only a few have infrastructure nationwide. About 40 percent are tiny regional providers with 5,000 customers or fewer. The human and digital rights watchdog Freedom House rates Brazil's internet freedom as “partly free” and trending to be more restrictive, because of the country's far-reaching efforts to crack down on political misinformation in recent years and its three-day ban on Telegram. Brazil also blocked the secure communication platform WhatsApp in December 2015 and again in May 2016 because it did not respond to similar data requests.

Brazil's National Telecommunications Agency did not respond to WIRED's multiple requests for comment.

Unlike in countries including Russia, Iran, and China, there is currently no legal apparatus or technical infrastructure by which the Brazilian government can systematically and comprehensively restrict access to particular websites or online platforms, or impose connectivity blackouts on its citizens.

Reports indicate many Brazilian ISPs that have implemented the ban are using the technique known as “DNS filtering” to block access to X. The domain name system is the internet's phonebook for looking up the IP addresses associated with URLs such as www.wired.com. DNS queries are sent to a DNS “resolver” that does the IP address lookups, and ISPs can configure their resolvers to filter or block requests for particular websites.

Mobile apps like X's Android and iOS apps don't rely on DNS, though, so DNS filtering alone is not enough to block all connections to a web platform. Some Brazilian ISPs seem to also be using IP address “sinkholing”—redirecting online traffic to a different server than the users intended to visit—as a way to send traffic meant for X into the abyss.

“We’re seeing variation by provider in Brazil, and right now it looks they’re each trying their own thing to see what works,” NetBlocks’ Mater says. “Brazil has a diverse network infrastructure with lots of ways for data to enter and leave the country, so there isn’t that centralized choke point and ‘kill switch’ we see in \[some\] authoritarian-leaning countries.”

VPN usage has surged in Brazil this week under the ban as a way around ISP attempts to block X, but the court order ban includes a provision stating people could be charged a fine of 50,000 reais—around $8,900—per day for using circumvention tools like VPNs.

Why It's So Hard to Fully Block X in Brazil

Using special software, WIRED investigated police surveillance at the DNC. We collected signals from nearly 300,000 devices, revealing vulnerabilities for both law enforcement and everyday citizens alike.

As thousands took to the streets during August’s Democratic National Convention in Chicago to protest Israel’s deadly assault on Gaza, a massive security operation was already underway. US Capitol Police, Secret Service, the Department of Homeland Security’s Homeland Security Investigations, sheriff’s deputies from nearby counties, and local officers from across the country had descended on Chicago and were all out in force, working to manage the crowds and ensure the event went off without any major disruptions.

Amid the headlines and the largely peaceful protests, WIRED was looking for something less visible. We were investigating reports of cell site simulators (CSS), also known as IMSI catchers or Stingrays, the name of one of the technology’s earliest devices, developed by Harris Corporation. These controversial surveillance tools mimic cell towers to trick phones into connecting with them. Activists have long worried that the devices, which can capture sensitive data such as location, call metadata, and app traffic, might be used against political activists and protesters.

Armed with a waist pack stuffed with two rooted Android phones and three Wi-Fi hot spots running CSS-detection software developed by the Electronic Frontier Foundation, a digital-rights nonprofit, we conducted a first-of-its-kind wireless survey of the signals around the DNC.

WIRED attended protests across the city, events at the United Center (where the DNC took place), and social gatherings with lobbyists, political figures, and influencers. We spent time walking the perimeter along march routes and through planned protest sites before, during, and after these events.

In the process we captured Bluetooth, Wi-Fi, and cellular signals. We then analyzed those signals looking for specific hardware identifiers and other suspicious signs that could indicate the presence of a cell-site simulator. Ultimately, we did not find any evidence that cell-site simulators were deployed at the DNC. Nevertheless, when taken together, the hundreds of thousands of data points we accumulated in Chicago reveal how the invisible signals from our devices can create vulnerabilities for activists, police, and everyone in between. Our investigation revealed signals from as many as 297,337 devices, including as many as 2,568 associated with a major police body camera manufacturer, five associated with a law enforcement drone maker, and a massive array of consumer electronics like cameras, hearing aids, internet-of-things devices, and headphones.

WIRED often observed the same devices appearing in different locations, revealing their operators’ patterns of movement. For example, a Chevrolet Wi-Fi hotspot, initially located in the law-enforcement-only parking lot of the United Center, was later found parked on a side street next to a downtown Chicago demonstration. A Wi-Fi signal from a Skydio police drone that hovered above a massive anti-war protest was detected again the next day above the Israeli consulate. And Axon police body cameras with identical hardware identifiers were detected at various protests occurring days apart.

“Surveillance technologies leave traces that can be discovered in real time,” says Cooper Quintin, a senior staff technologist at the EFF. Regardless of the specific technologies WIRED detected, Quintin notes that the ability to identify police technology in real time is significant. “Many of our devices are beaconing in ways that make it possible to track us through wireless signals,” he says. While this makes it possible to track police, Quintin says, “this makes protesters similarly vulnerable to the same types of attacks.”

The signals we collected are a byproduct of our extremely networked world and demonstrate a pervasive and unsettling reality: Military, law enforcement, and consumer devices constantly emit signals that can be intercepted and tracked by anyone with the right tools. In the context of high-stakes scenarios such as election events, gatherings of high-profile politicians and other officials, and large-scale protests, the findings have implications for law enforcement and protesters alike.

WIRED initially focused on finding cell-site simulators due to the secrecy around their use, especially at protests. Cell-site simulators work by tricking nearby phones, cars, and other devices that use cellular infrastructure into connecting to them. They can be used on planes or retrofitted onto trucks.

The dragnet surveillance tool has largely been used by law enforcement to track a specific target’s location, but due to the indiscriminate way it functions, the devices will log the IMSI (international mobile subscriber identity) numbers, unique to each SIM card, of every single device that connects to it.

For years, protesters have suspected that the surveillance technology has been deployed against them during demonstrations. In 2014, following a wave of protests in Chicago over a grand jury's decision not to indict Ferguson, Missouri, police officer Darren Wilson for fatally shooting Michael Brown, a Black teenager, activists overheard a police officer on a scanner asking another officer if he was gathering information from the protest organizer’s phone. Protesters at the time believed this to be a sign that an IMSI-catcher was deployed.

In Illinois, local law enforcement is required to obtain a warrant to use cell-site simulators. However, according to the ACLU of Illinois, the public is not able to verify whether the Chicago Police Department complies with this law, as CPD lawyers have instructed technicians managing cell-site simulators not to keep a log of their use.

Similarly, federal agents, including those from Homeland Security at the DNC, are also required to secure warrants before deploying one of the devices, except in the in cases of immediate threats to national security. A 2023 DHS Inspector General report found, however, that both the Secret Service and Homeland Security Investigations did not always do so.

Given that some lawmakers have attempted to link American anti-war demonstrators to groups like Hamas, which is classified as a terrorist organization by the US government, demonstrators have been concerned that cell-site simulators will get deployed against them. “They think we are terrorists, so they treat us like terrorists,” an anti-war protester who declined to give their name told WIRED at a protest on the first day of the DNC. They say that they wouldn’t be surprised if any of the law enforcement agencies present at the DNC were using an IMSI-Catcher. “I feel my phone getting hot, and I know they are watching.”

For years, the EFF has been developing tools to detect cell-site simulators. In 2019, it released Crocodile Hunter, which uses software-defined radios to identify unusual activity from 4G towers in a specific area. More recently, Quintin, and Will Greenberg, another staff technologist at the EFF, started working on a cheaper and more user-friendly tool called Ray Hunter, designed to detect unusual cellular activity in a similar way.

WIRED worked with Quintin and Greenberg to install Ray Hunter on three wireless hots pots, which allowed reporters to walk around the DNC and related events in Chicago to attempt to detect whether the devices connected to cell-site simulators.

The Rayhunter software works by detecting three key indicators based on a review of academic literature about how cell-site simulators work. First, it checks if the network you're connected to tries to force a downgrade to 2G, which has less security than a 4G or 5G connection. Second, it detects if the network asks your device for an IMSI number. Finally, the software checks if the network requests a "null cipher," a technical term for asking your phone not to use encryption between the phone and the tower.

According to CSS documentation obtained through public records requests, some CSS allow users to connect via Bluetooth or Wi-Fi. So alongside Ray Hunter, WIRED used two rooted Android phones running an app called Wigle, which logs the GPS coordinates of Bluetooth, mobile, and Wi-Fi signals that the phone encounters. This setup enabled us to collect and store data on observed Wi-Fi and Bluetooth activity. Neither phone connected to any Wi-Fi or cellular network, nor did they upload any data to the cloud. We analyzed the data locally.

WIRED focused on identifying MAC addresses, which are unique identifiers assigned to network devices, and OUIs (organizationally unique identifiers), which are usually the first three bytes of a MAC address. We looked for any OUIs of known CSS manufacturers like Harris, KeyW, Jacobs, and Digital Receiver Technology.

One of our first stops in Chicago was at Union Park, where a coalition of political and community organizations had planned a march to call for an end of US aid to Israel.

On Monday afternoon, a smaller-than-expected but still massive crowd of thousands of protesters prepared to march toward the DNC to protest Israel’s deadly siege of Gaza. Hundreds of Chicago police on bicycles lined the approved route, ready to respond. Farther down the planned route, Secret Service agents and other DHS officers observed the demonstration. The march started off peacefully, but by 4:30 pm local time, tensions escalated.

A small group of protesters breached the first of two security fences around the United Center. As some tore down sections of the fence, others climbed over and faced off with law enforcement standing behind the second barrier. Police began photographing the protesters tearing down the barricades, and a CPD helicopter circled as low as 650 feet, according to publicly available flight data WIRED reviewed at the time. CBS later reported 13 arrests from the first day of the convention.

While Rayhunter didn’t pick up any suspicious cellular infrastructure, our other equipment detected three new cell towers that hadn’t been there the day before. According to Quintin, because Rayhunter did not detect any suspicious behaviors, these towers were likely “cell on wheels,” aka COWs, temporary cell towers that companies roll out to provide extra cellular coverage during large events.

Leaving the protest, our Android detected a Wi-Fi network named Skydio X10-c9z2 with a hardware identifier associated with Skydio, a California-based company that sells drones to law enforcement. Skydio equipment has been used as part of Drone as First Responder programs around the country for years. According to marketing material, the Skydio X10 is equipped with multiple high-resolution cameras, including thermal imaging, powerful zoom capabilities, and onboard AI. It’s unclear which agency the drone belongs to.

CPD did not respond to WIRED’s questions about the Skydio drone.

It wasn’t just American law enforcement we suspected may deploy cell-site simulators. In 2019, the FBI alleged that Israel had placed one near the White House—a claim Israel has denied. Similarly, in 2016, protesters opposing the Dakota Access Pipeline suspected that a private security firm, TigerSwan, had used one against them.

On Tuesday of the DNC, an unpermitted protest organized by a self-described militant anti-imperialist group called Behind Enemy Lines was scheduled to take place outside the Israeli Consulate at the Accenture Tower, located two miles east of the United Center. Hours before the planned demonstration, police had already saturated the area. CPD officers on bicycles lined both sides of Madison Street in front of the building’s entrance, while the surrounding plaza served as a staging area for additional officers, who mingled with Secret Service and other DHS personnel.

Data collected by our fanny pack detected a Skydio drone near the Israeli consulate matching the hardware identifiers we identified the previous day. WIRED detected no cell-site simulators near the Israeli consulate.

By 7 pm, approximately 200 protesters had gathered outside the consulate. After a few speeches, tensions escalated as some protesters attempted to continue marching, leading to confrontations with the officers. Outnumbered by both police and journalists, more than 50 people were arrested, including three reporters.

WIRED could not determine the exact number of officers deployed at the protest, and CPD has yet to respond to our request for comment. However, our analysis of Bluetooth signals collected from the Android devices detected hardware identifiers associated with Axon, formerly Taser International, from as many as 720 different devices. Axon develops technology for law enforcement, including Tasers, body cameras, evidence management systems, and other software. The signals we observed were most likely from body-worn cameras used by officers during the demonstration.

The trackability of Axon’s body cameras is a known vulnerability. Last year at the Defcon hacker conference, Alan “Nullagent” Meekins and Roger “RekcahDam” Hicks, cofounders of the Bluetooth tracking platform RFParty, demonstrated that their platform could decipher signals emitted by body cameras, allowing them to detect the presence and approximate position of police officers.

In an email, Axon spokesperson Victoria Keough said that some Axon products have wireless features that enable real-time monitoring of officers during patrols and critical incidents. “While BLE \[ Bluetooth Low Energy \] and other wireless communications can be susceptible to monitoring from other nearby devices, the benefits of BLE in ensuring incidents are captured with maximum visibility are crucial to public safety,” she wrote. Keough added that the current generation body-worn cameras offer the ability to be in “airplane mode” for specific tactical situations.

WIRED’s wireless survey appears to confirm Meekins and Hicks’ findings. Over the course of six days at the DNC, we detected signals from as many as 2,568 different Axon devices. Mapping these signals reveals information about where we encountered police and how they were deployed. For instance, the day after the incident at the Israeli consulate, we returned to the park where protesters had broken through barricades on Monday. Ahead of another planned protest, we found officers blocking entry to the park, designated a “free speech zone” by the city. On a map, a chain of closely clustered circles shows how tightly officers on bikes had formed a perimeter around the side of the park facing the expected protest route.

CPD did not respond to WIRED’s request for comment.

WIRED is not publishing the data collected for this story, partially because of how law enforcement could be able to use that data to identify devices at protests. “This is a known issue within the cybersecurity community,” Quintin of the EFF says. “I think police are starting to get wise to the fact that this is a technique they can use to find people. I wouldn’t be surprised if Bluetooth and wireless tracking is the next big wave of police technology.”

A company called Latent Wireless may be a pioneer in Wi-Fi signal tracking for law enforcement. Founded in 2019 by David Schwindt, a former police officer, Jeff Bromberger, and Peter Scott, both computer scientists, the company developed a Wi-Fi dongle that connects to patrol car computers. This device passively scans and analyzes metadata from Wi-Fi signals encountered by the car and matches detected MAC addresses against a list of stolen electronics or devices linked to criminals or missing persons. If a match is found, the system alerts officers, who can then use a directional antenna to locate the signal’s source.

In one instance that Schwindt and Bromberger shared with WIRED, local police used software from Latent Wireless to locate a suspect in an office building knowing only the MAC address of the employee’s device. In another case, a robber connected to a Wi-Fi network at a local coffee shop before committing a crime. Police identified the MAC address of his device through the coffee shop’s router logs and eventually tracked him down by detecting the signal from that device as they drove around.

Schwindt and Bromberger emphasize that privacy is a priority for the Latent Wireless. They avoid bulk data collection, do not attempt to decrypt traffic, and do not store the locations of observed MAC addresses unless they’re on the hot list.

On Wednesday evening, hundreds of protesters gathered for another march toward the United Center. Thirty minutes after the speakers began addressing the crowd, the thumping of a CPD helicopter's rotors overhead interrupted them. The aircraft, a Bell 206L-4 LongRanger IV or a similar model, circled low—at 500 feet, according to flight data. Its tail number, N911YY, was clearly visible. Something appeared to protrude from a window.

Among the demonstrators, a man in a DHS vest weaved through the crowd, eyes scanning as he spoke into his phone. Curious about what the helicopter might be up to, I asked a freelance photographer, Wali Khan, to try to capture an image with his telephoto lens of whatever was sticking out of the door. Unfortunately, the helicopter was too far away to get a clear picture.

The helicopter circled for about half an hour. Despite my repeated attempts, the Chicago Police Department has yet to respond to my request for records regarding the helicopter’s mission that evening. What is clear, however, is the impact it had on those below. The hovering presence interrupted speeches, causing more than one protester I spoke with to wonder whether they were being singled out. Some people thought the officer was sticking a rifle out the window, while others assumed it was a camera.

None of WIRED’s devices picked up the hidden connections of cell-site simulators that day, or throughout the entire trip, but there were times like this when the surveillance was impossible to miss. “If what comes out of this is that activists spend less time worrying about protecting themselves from IMSI catchers and more time protecting themselves from drones, cameras, and things we know are being used,” Quintin says, “that’s a good outcome.”

_Additional reporting by Makena Kelly_

We Hunted Hidden Police Signals at the DNC

Activists claim Japanese industrial robots are being used to build military equipment for Israel. The robot maker denies the claims, but the episode reveals the complex ethics of global manufacturing.

Activists in Japan earlier this year accused one of the country’s largest robotics manufacturers of profiting off the war in Gaza, accusing it of violating its own company policies in aiding the Israeli defense industry.

At a protest outside the headquarters of FANUC Corporation earlier this summer, the Boycott, Divestment, and Sanctions (BDS) protesters demanded the Japanese conglomerate cut off ties with Israel and all the defense companies that contribute to Israel's military.

“We also call on FANUC not to be further complicit in genocide, war crimes, and crimes against humanity,” Taizo Imano, one of the protest organizers, said in June.

Specifically, Imano and the rest of the BDS activists believe Japan is breaching its own export controls. If true, it would significantly alter how Israel acquires high-end machinery for its defense sector. He further believes that “selling such products to a country that continues to commit genocide is itself a violation of international laws and obligations.” Experts say it may not be so simple.

FANUC has flatly rejected that claim. (And Israel has denied claims that it is committing genocide against Palestinians.) While the company has not responded to WIRED’s litany of requests for comment, a spokesperson for FANUC told HuffPost’s Japanese-language site in March that “when we sell products for Israel, we will carry out the necessary transaction screening.” If the end use of the technology is for military use, they wrote, the company will decide “not to sell.”

The activists, however, highlight how blurry the line between civilian and military technology has grown in recent years—and how difficult it can be to foresee the ways this kind of technology will be used one, two, or 15 years into the future. Trade lawyers consulted by WIRED say the law is both clear and outdated.

FANUC, based in Yamanashi Prefecture, is one of the largest robotics companies in the world, posting nearly $6 billion in sales during the 2023 fiscal year. The company’s robotic arms and automated systems are ubiquitous on automotive assembly plants, capable of doing the high-accuracy welding and laser work necessary in aerospace manufacturing, and have become commonplace in plastics, packaging, and a variety of other sectors.

As one of the world’s largest robotics companies, FANUC has also historically exported its kit to the North America and European defense industry. Its robots have been part of the F-35 manufacturing process for more than a decade; it previously worked with GE to produce onboard electronics for the M1A2 Abrams tank; FANUC robots are used in Raytheon’s missile production in Arizona; and it helped the United Kingdom create a quick and efficient production process for its 155-mm artillery shells.

Plenty of technologies that have such clear civilian and military use are classified as “dual use” technologies. While that designation can mean different things in different contexts, export control regimes are generally designed to ensure the use of this technology is controlled and monitored. Countries may exempt friendly nations from these sort of export requirements.

Japan, for example, makes it relatively easy to export dual-use technologies to the United States and Europe, and vice versa. Because they are recognized as trusted countries under Japanese export law, companies in those states are generally free to use Japanese dual-use technology to produce arms—and to, in turn, export those arms to other states (subject to their own export controls).

This, itself, has drawn the BDS activists’ ire: They want FANUC to end its relationship with American defense contractors like General Dynamics and Lockheed Martin, which sell considerable advanced weaponry to Israel. “We demand that such business relationships be immediately terminated and that the two companies never do business with each other again,” Imano said in June. But the activists go further, arguing that FANUC is, despite what it says publicly, actually doing business with Israeli defense firms.

“FANUC sells its robots and provides maintenance and inspection services to Israeli military companies such as Elbit Systems,” Imano claimed.

FANUC has denied this charge. “When we sell products to Israel, we carry out the necessary transaction screening in accordance with Japan's Foreign Exchange and Foreign Trade Act, confirm the user's business activities and intended use, and do not sell to Israel if the products are for military use,” the company wrote to HuffPost.

The company added that, after reviewing their records of the past five years, “we have not sold any products for military use to the Israeli companies Elbit Systems, IAI, BSEL, Rosenshine Plast, or AMI from our company or our European subsidiary. We have also not sold any products for military use to other Israeli companies from our company or our European subsidiary.” The company identified one instance where one of their robotic arms had been sold to an Israeli company that produces military hardware “after confirming that the machine was to be used for civilian medical purposes.”

At the same time, the company admitted that when they sell through intermediaries, of which Israel has several, they are not always able to guarantee “who the final customer is.”

There is, however, ample evidence that suggests FANUC arms have made their way into the Israel defense manufacturing sector. Multiple job listings posted by Elbit Systems, the primary domestic supplier of the Israel Defense Forces, list “knowledge of FANUC … controls” as either an advantage to job applicants or a requirement. One such job listing, from June, comes from Elbit Cyclone, the division that won a contract to produce fuselage components for the F-35 fighter jet. In January, Israel's Ministry of Defense published a video showing a FANUC robotic arm at an Elbit factory, handling munitions.

Another Israeli company, Bet Shemesh Engines (BSEL), more than a decade ago created marketing videos and uploaded photos to their company website featuring the FANUC robotic arms. The CV of a former employee suggests the company used FANUC robotics to assemble aircraft engines, which may be used for civilian rather than military purposes. Bet Shemesh counts the Israeli Air Force as a major client.

These Israeli companies did not return requests for comment.

Kevin Wolf, an international trade lawyer and partner at Akin Gump Strauss Hauer & Feld, says the activists’ allegations against FANUC may not be quite so clear-cut. Wolf points to Japan’s Foreign Exchange and Foreign Trade Act, which includes a schedule of what items are controlled as dual-use technology. “If it’s on the list, it is. If it isn’t? It isn’t,” he tells WIRED.

While some categories of robotics are included in Japan’s control list—including underwater robots and those used for materials processing—there is no general category for robotic arms or numerical control devices.

Wolf says it is unlikely that Japanese export controls would cover any hypothetical FANUC exports to Elbit, even if made directly and knowingly. Another lawyer familiar with Japanese export controls offered a similar analysis.

Even if it is not a violation of Japanese law, the protesters say FANUC is also violating their own policies. The company adopted a human rights policy in 2019 that reads, in part: “When it is clear that our business has caused or engaged in negative human rights impacts, we will endeavor to remedy them.”

As Israel’s bloody war in Gaza continues, and as it risks a broader regional escalation, these kinds of pressures on companies directly or indirectly aiding Israel’s efforts are certain to continue—even if export controls do not, technically, forbid it.

The Japanese Robot Controversy Lurking in Israel’s Military Supply Chain

The Navy is testing out the Elon Musk–owned satellite constellation to provide high-speed internet access to sailors at sea. It’s part of a bigger project that’s about more than just getting online.

Life aboard a US Navy warship at sea can be stressful, boring, and lonely, with separation from friends and family and long stretches between port calls both isolating and monotonous. Now, Elon Musk is here to take the edge off.

In a now deleted press release from the Naval Information Warfare Systems Command (NAVWAR), the Navy recently announced that it is experimenting with bringing reliable and persistent high-speed internet to its surface warships. The connectivity comes via a new system developed under its Sailor Edge Afloat and Ashore (SEA2) initiative, which uses satellites from the Starlink network maintained by Musk’s SpaceX and other spaceborne broadband internet providers to maintain a constant and consistent internet connection for sailors—a system that NAVWAR says has “applications across the entire Navy.”

The US Defense Department has for decades relied on a network of aging satellites to furnish service members at sea with decidedly slow internet access, according to an updated release NAVWAR shared with WIRED. By contrast, commercial satellite constellations like Starlink and Eutelsat OneWeb, which number in the thousands and offer coverage from a significantly lower orbit, provide a far superior connection.

The resulting SEA2 system, dubbed the Satellite Terminal (transportable) Non-Geostationary (STtNG), allows a warship’s tactical feeds secure access to low-orbit satellites with a median connection speed of 30 to 50 megabits per second, according to NAVWAR. With the installation of additional Starlink antennas, the system can scale up to speeds of 1 gigabit per second.

NAVWAR said that it scrubbed its initial press release, which showed the installation of a Starlink terminal aboard the aircraft carrier USS _Abraham Lincoln_, from the Pentagon’s Defense Visual Information Distribution System (DVIDS) media portal to “address inaccuracies and ensure the information is correct,” Elisha Gamboa, a command spokesperson, told WIRED in a statement.

News of the Starlink terminal’s installation aboard the _Lincoln_ in particular came as the aircraft carrier and its associated battle group were redirected to the US Central Command area of operations in the Middle East amid increased tensions between Israel and Iran following the former’s targeted killing of a Hamas leader in Tehran.

The Navy has not yet disclosed how many surface warships have received Starlink terminals. Defense officials told DefenseScoop in April that the DOD was at the time evaluating the system aboard two deployed vessels “with aims to field those broadband-providing capabilities across a fleet of up to 200 in the future.”

Originally a “passion project” of _Lincoln_ combat systems officer Commander Kevin White, SEA2 systems were first installed aboard the next-generation aircraft carrier USS _Gerald R. Ford_ in February 2023, offering sailors the ability to quickly and easily communicate with loved ones back home no matter where they are in the world—a major boost to morale amid the doldrums of life at sea. The system even allowed hundreds of sailors to enjoy a live broadcast of Super Bowl LVIII through a normal TV streaming service aboard the warship this past year.

“Having the ability to reach out to friends or family allows our sailors the opportunity to decompress for a few minutes, and that in turn allows them to be able to operate more efficiently,” Richard Haninger, the _Ford_’s deployed resiliency educator, said following the installation of the SEA2 system aboard the carrier in February 2023. “It’s not just about reaching back to friends and family, the ability to pay a bill online, take an online class, or even just check the score of the game \[...\] all of this allows our Sailors the chance to access something that lowers their stress level, then return to work after a quick break more focused and able to complete the mission.”

But beyond morale-boosting applications, SEA2 also purportedly offers major benefits for “tactical and business applications” used by sailors on a daily basis, like, say, those used for air wing maintenance or for tracking pay and benefits. As White explained in a May release from the Navy on the initiative, most of these applications function at higher classification levels and are encrypted, but they’re still designed to operate on the commercial internet without jeopardizing information security.

“The fact that we’re not making use of that opportunity with modern technology to allow classified tactical applications to ride the commercial internet is where we are missing out, so we built \[SEA2\] to be able to do that in the future,” as White put it. “We’re close to demonstrating a couple of those applications, and I am fully confident it will be game changing.” (As of June, the Navy had not authorized the use of classified data with the system)

The Navy also expects to see broad “tangible warfighting impact” from the proliferation of SEA2 across the surface fleet, namely on “recruitment and retention, mental health, cloud services, and work stoppages due to slow and inaccessible websites,” as one service official told DefenseScoop in April.

The Navy isn’t the only service embracing Starlink to enable faster, persistent internet for deployed service members. The US Space Force signed a $70 million contract with Starlink parent company SpaceX in October 2023 to provide “a best effort and global subscription for various land, maritime, stationary and mobility platforms and users” using Starshield, the company’s name for its military products. The US Army currently remains reliant on Starlink, but the service has been casting about for fresh commercial satellite constellations to tap into for advanced command and control functions, according to Defense News. And SpaceX is actively building a network of “hundreds” of specialized Starshield spy satellites for the National Reconnaissance Office, Reuters reported earlier this year.

But Starlink is far from a perfect system, especially for potential military applications. According to a technical report obtained by The Debrief, Ukraine has claimed that Russia’s military intelligence agency has conducted “large-scale cyberattacks” to access data from the Starlink satellite constellations that have proven essential to the former’s military communications infrastructure since the start of the Russian invasion in 2022. Indeed, significant hardware vulnerabilities have imperiled Starlink terminals at the hands of experienced hackers, as WIRED has previously documented.

More importantly, there’s the matter of Musk’s ownership of Starlink. The controversial SpaceX founder had previously refused to allow Ukraine to use the satellite constellation to launch a surprise attack against Russian forces in Kremlin-controlled Crimea in September 2022, prompting concerns among Pentagon decisionmakers that a private citizen with a questionable perception of geopolitics could drastically shape US military operations during a future conflict simply by switching off service branches’ Starlink access, according to an Associated Press report last year.

“Living in the world we live in, in which Elon runs this company and it is a private business under his control, we are living off his good graces,” a Pentagon official told The New Yorker in August 2023. “That sucks.”

In a post on X responding to this article following publication, Musk asserted that “Starlink was barred from turning on satellite beams in Crimea at the time, because doing so would violate US sanctions against Russia!”

“We received an unexpected request in the middle of the night to activate Starlink in Crimea in a matter of a few hours from the Ukraine government, but received no request or permission to override sanctions from the US government,” Musk added. “Had we done as Ukraine asked, it would have been a felony violation of US law.”

Musk previously said that enabling Ukraine to use Starlink to launch its attack would make SpaceX “explicitly complicit in a major act of war and conflict escalation.”

Given these potential risks, it’s unlikely that Starlink will see deeper integration into the major tactical systems that govern the operation of a Navy warship at sea. But for the moment, it looks as though sailors will at least get a welcome reprieve from the stress and solitude of life on the high seas.

_Update 1:50 pm ET, September 3, 2024: Added comments from Elon Musk in response to this article's characterization of Starlink's refusal to enable its service for the Ukrainian military._

The US Navy Is Going All In on Starlink

Plus: China-linked hackers infiltrate US internet providers, authorities crack down on a major piracy operation, and a ransomware gang claims attacks during the Paris Olympics.

Pavel Durov, the founder and CEO of the communication app Telegram, was arrested in France on Saturday as part of an investigation into his and Telegram’s alleged failure to moderate illegal content on the platform, among other allegations. After being detained for four days, he was charged on Wednesday evening, barred from leaving France, and released on the condition of posting a €5 million ($5.5 million) bail and reporting to a French police station twice a week. The Paris prosecutor's office said on Wednesday that Durov faces complicity charges related to child sexual abuse material and drug trafficking, as well charges for importing cryptology without prior declaration, and a “near-total absence” of cooperation with French authorities.

“Nudify” deepfake websites that generate images of people's naked bodies without their consent have been incorporating mainstream single sign-on authentication systems into their websites, a WIRED investigation found. Discord and Apple are terminating some developers’ accounts over this usage.

Microsoft published research on Wednesday about a new multistage backdoor that the notorious Iranian hacking group APT 33 or Peach Sandstorm has been using to target victims in sectors including satellite, communications equipment, and oil and gas. And Google researchers found that suspected Russian hackers compromised Mongolian government websites between November 2023 and July 2024 and then infected vulnerable users who visited the sites with malware. Crucially, the attackers compromised targets using exploits that were identical or very similar to hacking tools created by the commercial spyware vendors NSO Group and Intellexa.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**CIA Says It Provided Key Intelligence to Thwart Terrorist Plot Against Vienna Taylor Swift Concert**

The US Central Intelligence Agency provided Austrian law enforcement with crucial intelligence that led to the arrest of suspects who were allegedly plotting to attack Taylor Swift concerts in Austria at the beginning of the month. All three of the singer's planned concerts were canceled at Vienna’s Ernst Happel Stadium because of the threat. CIA deputy director David Cohen said at the Insa intelligence conference on Wednesday, “Within my agency and others there were people who thought that was a really good day for Langley and not just the Swifties in my workforce.”

The central suspect is a 19-year-old Austrian of North Macedonian background who reportedly made a full confession. Austrian law enforcement also arrested an 18-year-old and a 17-year-old in relation to the plot. Cops also reportedly interrogated a 15-year-old. The plot was allegedly inspired by the Islamic State and included plans to attack fans outside the venue with knives or explosives. Earlier this month, Austrian interior minister Gerhard Karner said foreign intelligence agencies contributed to the investigation because Austrian law bars text message surveillance.

“They were plotting to kill a huge number, tens of thousands of people at this concert, including I am sure many Americans, and were quite advanced in this,” the CIA's Cohen said at the conference. “The Austrians were able to make those arrests because the agency and our partners in the intelligence community provided them information about what this ISIS-connected group was planning to do.”

**Hackers Are Compromising ISPs With Credential-Stealing Malware**

Hackers who may be backed by the Chinese government have been exploiting a recently patched vulnerability in network management virtualization software known as Versa Director to compromise at least four US-based internet service providers and steal authentication credentials used by their customers. Researchers from Lumen's Black Lotus Labs, said on Thursday that the attacks began as early as June 12 and are likely still going on. Hackers exploit the Versa Director vulnerability to install remote access malware that Lumen dubbed allow “VersaMem.”

“Given the severity of the vulnerability, the implications of compromised Versa Director systems, and the time that has now elapsed to allow Versa customers to patch the vulnerability, Black Lotus Labs felt it was appropriate to release this information at this time,” the researchers wrote in a blog post. “Lumen Technologies shared threat intelligence to warn appropriate US government agencies of the emerging risks that could impact our nation’s strategic assets.”

**Vietnamese Law Enforcement Takedown “Fmovies” Piracy Ring**

The movie studio coalition known as the Alliance for Creativity and Entertainment said on Thursday that Hanoi police have investigated and taken down the Vietnam-based pirate streaming service Fmovies and its affiliates. The working group said it collaborated with law enforcement and provided information about Fmovies, which it called “the largest pirate streaming operation in the world.” The group added that Fmovies and its affiliate sites—which included bflixz, flixtorz, movies7, myflixer, and aniwave—had more than 6.7 billion visits between January 2023 and June 2024. The law enforcement operation also led to the takedown of video hosting provider Vidsrc.to and its affiliates because these services were allegedly “operated by the same suspects.” Hanoi police have arrested two men in connection with the case.

**Brain Cipher Ransomware Gang Claims Attacks During the Olympics**

Following a digital attack against dozens of French museums during the Olympic Games earlier this month, the ransomware gang known as Brain Cipher has claimed responsibility for the hacks and is threatening to leak 300 GB of stolen data from the museums. Le Grand Palais and dozens of other French national museums and cultural organizations are overseen by Réunion des Musées Nationaux – Grand Palais and reportedly all use some shared digital infrastructure, which the attackers targeted.

Taylor Swift Concert Terror Plot Was Thwarted by Key CIA Tip

Suspected Russian hackers have compromised a series of websites to utilize sophisticated spyware exploits that are eerily similar to those created by NSO Group and Intellexa.

In recent years, elite commercial spyware vendors like Intellexa and NSO Group have developed an array of powerful hacking tools that exploit rare and unpatched “zero-day” software vulnerabilities to compromise victim devices. And increasingly, governments around the world have emerged as the prime customers for these tools, compromising the smartphones of opposition leaders, journalists, activists, lawyers, and others. On Thursday, though, Google's Threat Analysis Group is publishing findings about a series of recent hacking campaigns—seemingly carried out by Russia's notorious APT29 Cozy Bear gang—that incorporate exploits very similar to ones developed by Intellexa and NSO Group into ongoing espionage activity.

Between November 2023 and July 2024, the attackers compromised Mongolian government websites and used the access to conduct “watering hole” attacks, in which anyone with a vulnerable device who loads a compromised website gets hacked. The attackers set up the malicious infrastructure to use exploits that “were identical or strikingly similar to exploits previously used by commercial surveillance vendors Intellexa and NSO Group,” Google’s TAG wrote on Thursday. The researchers say they “assess with moderate confidence” that the campaigns were carried out by APT29.

These spyware-esque hacking tools exploited vulnerabilities in Apple's iOS and Google's Android that had largely already been patched. Originally, they were deployed by the spyware vendors as unpatched, zero-day exploits, but in this iteration, the suspected Russian hackers were using them to target devices that hadn't been updated with these fixes.

“While we are uncertain how suspected APT29 actors acquired these exploits, our research underscores the extent to which exploits first developed by the commercial surveillance industry are proliferated to dangerous threat actors,” the TAG researchers wrote. “Moreover, watering hole attacks remain a threat where sophisticated exploits can be utilized to target those that visit sites regularly, including on mobile devices. Watering holes can still be an effective avenue for … mass targeting a population that might still run unpatched browsers.”

It is possible that the hackers purchased and adapted the spyware exploits or that they stole them or acquired them through a leak. It is also possible that the hackers were inspired by commercial exploits and reverse engineered them by examining infected victim devices.

“NSO does not sell its products to Russia," Gil Lainer, NSO Groups vice president for global communications, told WIRED in a statement. “Our technologies are sold exclusively to vetted US & Israel-allied intelligence and law enforcement agencies. Our systems and technologies are highly secure and are continuously monitored to detect and neutralize external threats.”

Between November 2023 and February 2024, the hackers used an iOS and Safari exploit that was technically identical to an offering that Intellexa had first debuted a couple of months earlier as an unpatched zero-day in September 2023. In July 2024, the hackers also used a Chrome exploit adapted from an NSO Group tool that first appeared in May 2024. This latter hacking tool was used in combination with an exploit that had strong similarities to one Intellexa debuted back in September 2021.

When attackers exploit vulnerabilities that have already been patched, the activity is known as “n-day exploitation,” because the vulnerability still exists and can be abused in unpatched devices as time passes. The suspected Russian hackers incorporated the commercial spyware adjacent tools, but constructed their overall campaigns—including malware delivery and activity on compromised devices—differently than the typical commercial spyware customer would. This indicates a level of fluency and technical proficiency characteristic of an established and well-resourced state-backed hacking group.

“In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits from \[commercial surveillance vendors\], Intellexa and NSO Group,” TAG wrote. “We do not know how the attackers acquired these exploits. What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs.”

_Updated at 2pm ET, August 29, 2024: Added comment from NSO Group._

Source

Wired